Krebs on Security

In-depth security news and investigation

Where Did That Scammer Get Your Email Address?

You’ve seen the emails: They claim to have been sent by a financial institution in a faraway land, or from a corrupt bureaucrat in an equally corrupt government. Whatever the ruse, the senders always claim to need your help in spiriting away millions of dollars. These schemes, known as “419,” “advance fee” and “Nigerian letter” scams seemingly have been around forever and are surprisingly effective at duping people. But where in the world do these scammers get their distribution lists, and how did you become a target?

Some of the more prolific spammers rely on bots that crawl millions of Web sites and “scrape” addresses from pages. Others turn to sellers on underground cybercrime forums. Additionally, there are a handful of open-air markets where lists of emails are sold by the millions. If you buy in bulk, you can expect to pay about a penny per 1,000 addresses.

One long-running, open-air bazaar for email addresses is LeadsAndMails.com, which also goes by the name BuyEmails.org. This enterprise is based in New Delhi, India, and advertises its email lists as “100% opt-in and 100 percent legal to use.” I can’t vouch for the company’s claims, but one thing seems clear: Many of its clients are from Nigeria, and many are fraudsters.

Stretching conspicuously across the middle of the site’s home page is a big green message to the site’s Nigerian clientele: “Don’t waste money/times/resources sending [Western Union or Moneygram], Use local deposit option.” The ad links to a page with a list of payment options, which shows that Nigerian customers can pay for their email lists by wiring the money directly from their bank accounts at several financial institutions in Lagos. BuyEmails.org further advises that, “Due to tremendously high rate of fraudulent payments we do not accept Credit Cards or PayPal. E-Gold has closed, so we don’t accept it either.”

The site sells dozens of country-specific email lists. Other lists are for oddly specific groups. For example, you can buy a list of one million insurance agent emails for $250. 300 beans will let you reach 1.5 million farmers; $400 closes on 4 million real estate agents. Need to recruit a whole mess of money mules right away? No problem: You can buy the email addresses of 6 million prospective work-at-home USA residents for just $99. A list of 1,041,977 USA Seniors (45-70 years old) is selling for $325.

If you don’t care much about who gets your emails, or if you want to target recipients based on their email provider, the price per address goes way down. Consider these offerings:

50 million AOL addresses: $500

30 million Hotmail addresses: $450

30 million Yahoo addresses: $400

5 million Gmail addresses: $350

Don’t have your own botnet or email infrastructure capable of sending so much email without getting shut down by your ISP? No worries: This company also sells “cheap bulk emailing solutions.” It offers bulletproof hosting, which is essentially a Web server equipped with Web-based email. “Totally anonymous – your ISP wont [sic] know that you are sending out bulk emails,” the advertisement reads. “Mail to 1000 recipients in seconds.”

I sought comment via email from the owner of these services, Vikram M. Gautam, but received no reply. Someone, who answered my Yahoo instant message at the support address listed on the site, wished me luck with my “story” (their quotes), but declined to chat further. A quick Google search shows that Gautam is president of Perfect Web Resources LLC, which is a division of an outfit called Perfect Web Technologies Inc., a company that claims to own several U.S. patents on methods for sending email. In 2007, Perfect Web Technologies sued another email list vendor — infoUSA — arguing that the latter had infringed upon its patents. A federal court later invalidated the patent in question, saying it was invalid because it described an obvious “common sense” process (the sending and re-sending of spam until all of the mail is delivered).

There’s a good chance that your email address is now a product in the underground marketplace. The next scam in your inbox may claim to have been sent by a banker or bureaucrat. But, the sender probably got your name from a wholesale list-seller, and not from a trusted friend. Of course, you know enough not to reply to these, don’t you?

If you don’t care whether spammers have your address and you’re not easily spooked, you might be interested in following the folks over at 419eater.com, a group of activists who not only track the 419 scammers but attempt to turn the tables on them. My favorite sections of that site are the 419 Eater Hall of Shame and the Letters area.

A screen shot of the Interactive scamtracker map from 419eater.com.

[EPSB]

Have you seen:

Is Your Computer Listed ‘For Rent’?…When it’s time to book a vacation or a quick getaway, many of us turn to travel reservation sites like Expedia, Travelocity and other comparison services. But there’s a cybercrime-friendly booking service that is not well-known. When cyber crooks want to get away — with a crime — increasingly they are turning to underground online booking services that make it easy for crooks to rent hacked PCs that can help them ply their trade anonymously.

Do you have friends who forward jokes, where the joke had obviously been forwarded thru many other people, and we see hundreds of their e-mails in the undeleted forwarding section? Know then if you forward jokes to those friends, your e-mail address will be forwarded to hundreds, maybe even thousands of other people, in the jokes package, of which some may be mining the collections for future spamming.

I would imagine that harvesting email addresses from joke/chain letter forwarded emails is much less enticing for spammers than in the past. As Brian outlined, spammers have more lucrative resources for obtaining email addresses these days.

Never the less, I ‘trained’ my mother to address her forwarding emails using the Bcc option. When she remembers, she even removes the email addresses from the previous recipients.

While it might be true there are easier sources for getting emails, these mass forwarding emails still contribute to the pool. People who mass forward are more likely to be complacent about security and when their computers or email accounts are compromised, all the email addresses are harvested and added to those lists sold to/by scammers.

There is another problem that makes those forwarding lists more valuable for a scammers, and that’s a list of people who are likely to know each other. A scam email message can be spoofed to be originating from one person on the list to another on the same list, thus increasing the chance it will pay off.

People you know are the ones that make me mad – so mad that revenge is often one option that comes to mind for repeat offenders.

Some people won’t take a kind request to cease and desist from using my personal email address for the idiotic forwarding of so called amusing or interesting email trivia.

Regardless of the tone of the request to cease (pleading, threatening, or just plain ‘don’t ever use my email address again’), they blitheringly continue to forward junk.

Where email ‘on forwarders’ are repetitive, will not take heed of ‘cease and desist’ privacy requests, is there a website where I can then add their email address to the spam subscription lists as a form of revenge? The people that repeatedly use the ‘To’ instead of ‘Bcc’ option for mass emails (salespeople are often the worst offenders here) are also prime candidates for adding to the ‘please spam me’ list.

I know it is against the spirit of discouraging the spread of badware, but cannot the baddies be utilised sometimes to get revenge?

There are many different ways of harvesting email addresses all the way from randomly generating user names and combining this with known email servers (@server.net) then checking the validity to hacking servers to get lists.

Consider that one can harvest emails from Facebook users now for example.

Frankly it’s probably more likely that an email is on some spammers list _somewhere_ than not.

Also it’s easy to find enormous lists of emails (think tens or hundreds of millions) for free around the various blackhat marketing forums although they usually arent as targetted as occupation or country as this service is.

There are lots of way’s that spammers, 419 scammers etc get e-mail address’s to spam and scam. Some are thru breaches like we have read about thru Epsilon, but there are a lot of websites where people have to sign up that take their sites members e-mail addresses and sell them and this is in despite of their so called privacy policy where they say they never do this! One of the biggest sellers of peoples personal e-mail adresses is the online survey comapnies who “promise” you can make money by doing online surveys…lol.. if you use a new e-mail adress and sign up for these sites only, wait and watch how much spam you start getting, from pills, to erectile dysfunction to 419 scammers…there are a lot of websites that sell theie members e-mail addresses for money, it’s another way they can make money on the sly…Privacy policies for some of these despite websites are more a formality then an actual followed policy.

Yes, its correct, one of my email address is targeted by spammers for so long coz I have naive enough reply to their products which was not true. And I have been a member of 419 Legal. Nigeria is one of the most notorious spammers in the internet. Nigerian also subscribed to dating website such as wayn.com to dupe female members.

Also be careful of sites that ask you to sign a petition or click a button to donate to a worthy cause, then ask for your friends’ email addresses to have them send an email in your name asking you to join the effort. A spammer mailing Storm Worm and Canadian Pharmacy spam got my spam free address when a relative found a site that said if you clicked, they would donate to feed puppies in an animal shelter.

Our church recently got an email from someone who had never signed the guest book who asked to be kept informed of any events at our church. We were suspicious “she” was hoping those announcements would come with a lot of cc’s and announcements of updated addresses. (We added an RSS feed to our website instead.)

And never give ANYONE the password to your email account to “invite all your friends.” I’m quite surprised how many supposedly reputable sites like LinkedIn and Facebook ask, and even more surprised how many of my friends go along with it.

I use the catch-all feature of Google Apps for my Gmail account. With that, when I register at a new site I sign up with a unique address and it gets forwarded to my actual account but with the address I can tell where it came from.

Then if I started getting spam to the address amazon@example.com, I would know who sold the address and be able to filter that e-mail straight into the trash.

I recently started receiving bank transfer-based, ETF phishing e-mails to my quicken@example.com address which was only ever used when signing up for the Quicken Online service. A comforting fact knowing what other information Quicken Online had stored.

Previously, Active.com continuously spammed magazine offers no matter how many times I unsubscribed using the address 5k@example.com and 5k2010@example.com which were only used to sign up for the same 5k two years in a row.

As good practice, personally I always try to keep on top of unsubscribing from newsletters and services I do not need or use. However, this can be double-edged sword. Let’s say you get an Email about some service that you never did sign up for, and there is an unsubscribe link at the bottom of the site, which may or may not link to the sender’s domain.

What caused this Email, and why would you not want to click the unsubscribe link? My guess would be that the Email address had been crawled/scrapped from anywhere on the web (for instance, a resume site; since this has been my experience) or that the spammers are targeting generic names (mbrown@ is a good one). Now, what happens if I click the unsubscribe link at the bottom of the Email for the service I never signed up for?

It confirms that a human has received the Email, which likely adds your Email address to a list that will continue to be targeted.

if the spammers were smart enough, they could then figure out a more likely guess of the company’s Email formatting (“mbrown” worked, maybe “cjones” will work, no more cycling through matt.brown, or mattb).

Well, I love starting a week off with one of your new posts anyway, Brian, but the link to 419eater is priceless. I have been laughing all morning while reading about the “scambaiters” engaging the scammers. They even offer a new “mentor” program, where you can receive tips and training on how to respond to your own scammers. I don’t think I have the nerve to actually do it, but it’s nice to think that at least some criminals are getting the receiving end of “what goes around, comes around”.

I have a bunch of different usernames at different websites I host, each with their own email address. All but 1 or 2 from each website have never been used before. The fact that I am getting spam at 7-8 email addresses that have never before been used is kind of shocking.

The worst social engineering is the sending of spoofed bounced email. They randomly populate the from fields in bounced email to look like your address, then you send an email to the contact info, or visit the site. There should be a much more widely available resource for beginning users to check the validity, or to at least explain what is going on.

I’ve seen this on some of my domains too – spam sent to email addresses I’ve set up but never used. My guess is that they hack into the hoster’s mail server, and directly harvest all the email addresses hosted for all the domains on that server. And since practically no one secures their mail servers adequately, I imagine this is very easy to do. There even used to be a commonly used legitimate tool (whose name I don’t remember now) that would list all the email addresses and their user names available on a mail server. I remember using it as a convenience, when I couldn’t remember exactly what email addresses my friends had, but I knew what the root domain they used was. Oh, what innocent days those were.

That could very well be the case. The domains I get spoofed spam email to (from never before used email addresses) are mostly 8-13 years old. I have one or two newer domains that do not get any spam email.

Still not sure how they were initially scraped, but the emails were probably added to a number of lists BK mentioned above.

I think you’re right, and it isn’t just for new domains. It looks more like they aren’t harvesting email addresses directly from mail servers anymore. At least I have one more data point to toss into that hat. My personal domain is 15 years old and I still get spam on email addresses I used and tossed years ago, but I’m not getting spam on addresses I’ve set up this past year, and I do use them. (But I use them very carefully, so as to avoid making spam bait out of them.)

Could be the case. Part of the problem with those web crawlers is that they would indiscriminately pick up the seeder email addresses used by anti-spam companies to build filters. It really hurts your biz when your spam campaign gets blacklisted minutes after kicking off.

I suppose using malware or purchasing email addresses helps mitigate that cost of doing business for the spammers.

There is much more spam being sent than most people know. Most people don’t realize how much of their spam is blocked by their ISPs before they ever see it, without regard to customer preference. I believe that in addition to blocklisting known sources of spam, Verizon still blocks *everything* sent from Asia, Africa, South America and Eastern Europe unless the senders’ ISPs get themselves whitelisted. Even if a Verizon customer chooses the option of not using Verizon’s spam filters, most of what is sent to Verizon email addresses never even gets as far as the spam filters. And as draconian as those measures are, Verizon’s user support forums are full of complaints from people who still feel they get too much spam. What gets in your inbox is not necessarily an indication of who has your email address.

It can be hard to convince your ISP to open the floodgates and let you filter your own spam, even if you have your own domain name. And considering they have to deal with the spam complaints if your mailbox goes over quota and you start returning (i.e., forwarding) spam back to forged “from” addresses, it’s easy to understand why.

Very true. When I need to find a scam email, I just open up the Gmail spam folder and can usually find several examples on the first page that were blocked within the last 24 hours. Here are three 419 scams that arrived in the last two days:

Attention Please, I am Mrs. Susanne Hosni Mubarak, the wife of the Former President of Egypt Hosni Mubarak. you may aware that my husband is presently facing trial on maladministration charges in Egypt and we his family members had moved to the estate in Sharm El Sheikh. all our documents had seized to prevent us from traveling, I need somebody from outside the country who I can introduce to my bank in Asia where I save US$50,000,000.00 (Fifty Million United States Dollars) to transfer the money into the person account for safety, Because they are planning to seize our assets, if you are capable to handle this, please Kindly indicate your interest and provide the basic information. Full name, Address, Age, and cell number. I will forward them to the bank immediately to transfer the money to you, I need your honesty and trust, if you are good to me I have more fund to entrust on your care, please get back to me, we will negotiate on the percentage that I will offer you. Of the total funds. I am waiting your urgent response on the my private Email for this business only.mrs.suzanne@azet.sk Yours faithfully. Mrs. Susanne Hosni Mubarak

==

My Dear Friend,

My name is Sarah Morris, who is diagnosed with oesophageal cancer. To cut the long story short, I have few hours left to live, depending on my surgery which will take place soon. Although I am rich, but it doesn’t matter anymore.
I want God to be merciful to me and accept my soul and so with that reason I decided to give what I have to charity and I never had children. I want this to be one of the last good deed on earth. I now give you the authority to dispatch my last funds to any charity of your choice.
I have Eleven million dollars in a financial institution. I want you to keep fifty percent of this amount for yourself and time, while you keep the other fifty percent to any charity of your choice. May God be with you as you carry out this task.I believe with this,
I can now be free to depart peacefully. You can then contact my lawyer who will assist you in getting the funds to you when I pass. He would give you more details. His name is Andrew Toland, and his email address (andtoland@aol.co.uk ) He would guide you through receiving the funds.
Lot of Love
Sarah Morris
===

Dear Friend,

It`s my sincere intention to contact you directly to seek business/
investment relationship with you.
My full Name is David Smith, A financial consultant / accountant, I’m
searching for a reliable and experience business partner. The investment
capital outlay is $10.5 Million Dollars and I would need your assistance in
the area of investing it in your country under your guidance or any country
of your choice.
Kindly provide your confidential contact for easy communication and to
enable us talk about the transfer of the funds and its investment. Here is
my private email ID for easy communication, davidsmith.smith539@gmail.com,
I will be waiting to read from you to enable me give you more details.

He, he, in the past I was following a similar website,http://www.419baiter.com
I noticed the oesophageal cancer was very popular choice among 419 scammers: it allows them an excuse not to engage in telephone contact, at least in the first phase of baiting. If the victim “bites” it seems in a lot of situations, they are passed on to more experienced fraudsters. This allows low-level fraudsters to screen responses and “sell” promising leads to top-level scammers.

“Verizon still blocks *everything* sent from Asia, Africa, South America and Eastern Europe unless the senders’ ISPs get themselves whitelisted.”
Comcast does the same. I have one correspondent in Eastern Europe with whom I email daily. Emails addressed to my comcast address that originate in that country are bounced back. The most frustrating part is that the bouncing does not happen 100% of the time, so we never know if the email will get thru or not.
I wrote to the Comcast customer service VP. They relaxed the restriction, but a few weeks later the rejections started to occur again.
You have to wonder why all email from my Eastern European correspondent arrives to my gmail and yahoo addresses without any problems, but presents a “danger” for comcast.

I wouldn’t have anything important sent to my Verizon address. I’ve been through the difficult process of getting whitelisting for a hosting company that happens to be located in Hong Kong. English is my native language, and I had trouble finding out how to do it. Despite a record of being very proactive at controlling spam, the host had been unsuccessful when they tried. Spammers have censored communication from Russia and China more effectively than the Communists could ever have hoped to do.

One of my domains has a mail server that has zero spam blocking. Then I can sort through the stuff that arrives myself. I have Mailwasher and can use Regex statements to set up very specific filters and whitelisting — very useful when reporting spam and receiving responses that quote the original message.

Hi, this is Mike from BotScout.com. We fight this kind of stuff every day, so I have some understanding of how emails are collected. The ways that spammers get email addresses vary considerably….

Often they simply spam hundreds of thousands of variations of an address until they get a response. (This is how you end up getting spam at addresses that have never been published.) This used to be much more effective back in the day when email servers could be “pinged” to detect a valid address, but now it’s often done through compromising a site and stealing email lists.

A *lot* of large companies will sell their email lists to a “reputable” buyer (like an advertising agency), who then sells it to a less reputable buyer, and so on and so forth…until it ends up in the hands of a seller who will sell or trade the list to anyone, no questions asked.

Spammers also love to flood places like craigslist with an endless stream of ads for all sorts of things and then gather the responses (yes, some people still don’t make use of the craigslist obfuscated email feature). Personal ads are a rich source of email addresses. In case you didn’t already know this, ~95% of all the women’s ads on craigslist personals are utterly bogus- they’re robot-generated ads posted for this very purpose.

Scraping web pages is also a very productive way to get emails- an awful lot of forums show the other member’s email to anyone valid user who’s logged in. Spammers simply make an account and then scrape the entire forum for addresses.

These are just a few of the common ways that they get your email address

Keep in mind that spammers are surprisingly creative and have a lot of time on their hands. It seems almost inevitable that your email address will end up on one list or another. 🙁

Just one thing to say, most of your e-mail addressess will get on spam lists, mostly because of yourself (not literally, but to the common user).

Creating an account on 99% of the websites requires having an e-mail address to send the verfication e-mail to. Once you verify your account, you also verify that the e-mail address provided is genuine, and also functional.

I read some reports that many small websites with huge traffic actually sell thei e-mail DB to this kind of companies who just sells them further but in large packages.

If you are aware of the Google Hacks application, just pull a search containing @domain.com and you will see how many e-mail addresses you can have in minutes. Then, it’s just a matter of days, till you have your very own list of e-mail addresses.

Also, e-mail chains are bad too, not to mention system admins who just get all the db from their companies and then sell them anonymously.

Thanks. Even if Emails (and personal data) are being collected without implicit or explicit intentions of selling the internet is full of stories of huge databases being cracked.

Taking into consideration that such leaks (or sharing/selling) even do not infringe any current laws…

I do not see much difference between selling and not caring much to protect them
After all, the only reason of free online services harvesting / scraping / collecting / stealing personal data is their monetization, implicit or explicit ones, who cares.

The boundaries of non-enforced by law policies are floating, changing and blurring

As an experiment to see just how much span was being generated by my posting in the Washington Post Comments section using my real e-mail address as my identity, whenever an article addressing CHINA appeared, I posted a comment in BOTH English and Simplified Mandarin Chinese characters, that was a translation of the English.

I was TRULY SURPRISED that the WaPo allowed this to continue until just recently, but the reality vs. the paranoia in Chinese Character spam coming into my e-mail address was at first quite limited and it did not build substantially until only recently. As I check my spam content now only 18 of 50 items on page one are Chinese Character spam [sorry Brian but no Russian span LOL].

In 2001-2002 I was customer of a small company (located in United States) doing training related to Cisco Networking, renting racks of Cisco switches and routers to prepare for CCIE Lab, etc.
The company went out of business shortly thereafter and the creditors hired a liquidation company to sell the assets and recover (as much as possible) of the debt.
One of the places they advertise it: the website of the company being liquidated.
They were not only selling tangible assets, but also offering for sale the highly-focused list of 5000 mail addresses from the customers of the company being liquidated. (Among which of course was my email address). – By this, they meant every contact out of the 5000 was highly likely to respond to an offer related to second-hand Cisco equipment, training, etc.
It left me a bitter taste (not that much different from hearing recent news of IPv4 address blocks being sold).
I’m wondering what can be done legally to prevent some liquidators offering for sale lists with customer personal details from a company they are liquidating.

You think that’s bad? How about having your email address sold by a ‘reputable’ company that’s still in business? Years ago, like 1999, I had a TD Ameritrade account. Shortly after completing their web site registration, stock related spam began to flood my pristine inbox.

I was so upset that my precious email address had been sold (I was a non-IT naïve user back then). It became such a chore going through my ISP’s spam filter to weed out my legitimate emails. Did I complain to TD Ameritrade? Nope, I just wallowed in spam misery.

About nine years later, ‘justice’ was served on TD Ameritrade. I received a notice that I could join a class-action lawsuit against TD Ameritrade. My reward if I joined the lawsuit? Free anti-spam software!

Thinking of TD Ameritrade still leaves a bad taste in my mouth. I’m sure my wife is tired of me booing at their commercials.

With any company which goes bankrupt, the bankruptcy court can consider any of its assets to have value, which can be sold to raise money to reimburse the creditors.

This includes information it gathered to run its business, such as personal privacy information on its customers … their e-mail addresses, bank account info, unless the laws against breaching confidentiality specifically also apply to the bankruptcy courts, and are being enforced against them. (Government institutions may be exempt from some laws.)

If you are referring to the U.S., what laws did you have in mind? There are some very focused ones (like HIPPA, GLBA; the Privacy Act of 1974 covers only government) but I am aware only of talk about broadly protecting our privacy. So far commercial interests are able to quash any attempt at real protection. Our European brethern look on with amazement.

In the USA, it is legal for anyone to collect data on anyone, and not tell anyone that this is being done, including the people the data is about. There is no mandate to make any effort to make sure the data is correct, except in a handful of industries, where the pressure to do so is more corporate than government mandate. For example, I recently changed my address for postal delivery, because of some money I getting in snail mail, and I wanted to improve my safety. To my dismay, the post office did not need any proof from me that I was who I said I was, but several places contacted me to confirm the change in address, but also proof who I am was not asked. This sort of thing is why identity theft is so easy.

Privacy laws primarily apply to who is authorized to access various types of data, such as financial and medical. Enforcement of these laws varies greatly.

Breach laws pertain to divulging discovery of unauthorized access.

Privacy and Breach laws exist in most, but not all US states. Both federal and state laws are very specific as to which types of organizations they apply to (a tiny minority of all, except in a few industries).

In other words, for most organizations in the USA, it is legal to amass all sorts of info on people, and do as you please with the info.

I am starting to notice a lot of scams, for me personally, are coming from India. I got two emails recently after looking in my spam folder. Both involved search engine optimization and other online marketing services.

The first one was offering me the ability to make money through advertising, like Google AdSense, but after looking on the page a bunch of red flags came up. Things were misspelled, only 2 advertisers were listed on the whole page and just reeked of a scam after I checked the WHOIS information – 2 week old domain name but claims of being in the business for years!

The latest one was a SEO service scam where I was “selected” for their services. They openly admitted to being based in New Delhi, however, the email was sent from a free email account and no mention of the website they run! Scam scam scam!

Great article! I’m administrator at an anti fraud site and my email address there, which is more public than my other addresses, receives more scam emails than any other address I use.
In fact, some scammers, often romance type scams, target you by mentioning where they found your address; ie: “I saw your profile at websitename.com”.
I am also a scambaiter and have seen many mentions of this by other baiters who sign a guestbook at 419Baiter specifically set up for baiters to use to “catch” more scam emails.

I’ve even had a scammer who targeted me via my anti fraud site address continue on correspondence for a bit, obviously not paying any attention to the website address at all, nor reading the auto response that was full of anti scam information.http://forum.419eater.com/forum/viewtopic.php?t=192722

There are various schemes of legally collecting and reselling Emails that you yourself provide while not caring to read TOS (or EULA) of online services

If you search for (gravatar privacy concern) keywords you would find a lot of interesting things. For ex., comment tohttp://techthinker.com/gravatar-privacy-concern/
tells:
” I am far more concerned that Gravatar-enabled blogs send my e-mail address to Gravatar whenever I comment (even if I am not a registered Gravatar user). Gravatar can then track my internet usage associated with that e-mail address across multiple sites”

And the ToS of Gravatar is written in such evasive way, that nothing impedes Automattic, the Gravatar provider, to sell collected Emails.

Another possible way is to collect Emails through free funny captchas.
Once plugin with this captcha is installed, it collects and sends all emails from “protected” comments, registration forms, forum posts, etc. to its provider servers

Hopefully if you use nothing but bogus information everywhere you signup for things like this, the less likely it traces the real person. This won’t stop the PRC police, but maybe it will make it a little harder for the crooks.